Re: [openssl-users] convert from PEM to DER format or vice versa

Please download the source code and refer to apps/x509.c - this handles the conversion command, such as: openssl x509 -in xxx.pem -inform pem -out xxx.cer -outform DER the function you will look for is i2d_X509_bio On 12 December 2016 at 09:37, Sairam Rangaswamy -X (sairanga - ARICENT TECHNOLOGI

RE: client hello difference 1.0.1e vs 1.0.1f

Took me a while to see, but the difference is in the last line of the client hello. Your working example has MD5+RSA listed as a TLS 1.2 signature pair whereas first doesn't. 0302 SHA-224 DSA 0303 SHA-224 ECDSA 0201 SHA-1 RSA 0202 SHA-1 DSA 0203 SHA-1 ECDSA 000F TLS_DH_RSA_WITH_DES_CBC_SHA 0101

Authority Key ID Extension

Hi, I am looking for advice for an application using openssl, but it's not an openssl problem. We have a situation where an external company has provided us with authentication certificates from a subCA and we have all the cert's back up to the root - openssl verify works fine. Another appli

RE: SSL_ERROR_SYSCALL errno=0

This thread have any relevance to you? http://stackoverflow.com/questions/12885680/pem-read-rsaprivatekey-returns-illegal-seek-when-decrypting-using-openssl-libs From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on behalf of hhachem

RE: Need understanding on certutil output.

>From what I remember offhand, the former: 03 81 81 00 is 03 Bit string 81 Length of contents = 1 byte; the top-bit is set to signify that there are more than 127 octets of content 81 the bit string uses 0x81 octets - 129 - corresponds to a 1024 bit key extended to 129 octets to stop number bei

RE: Declare BN_CTX on stack (not BN_CTX*)

[Sorry for top-post - Outlook Web Client] I would say that BN_CTX_init() is deprecated and you should be using BN_CTX * ctx = BN_CTX_new(); Indeed, https://www.openssl.org/docs/crypto/BN_CTX_new.html says BN_CTX_init() (deprecated) initializes an existing uninitialized BN_CTX. This should not

RE: Is aesni-intel module required for openssl

>From https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/ch03s02s03.html check with root running "openssl engine -c -tt" Carl From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on beha

RE: OpenSSL 1.0.1e build failure using MinGW, multiple definition of OPENSSL_Uplink

Forgive me if I am wrong, but I didn't think the FIPS 2.0 code base could be used with anything else but MS VC on Windows!? The user guide does not state this explicitly as far as I can see, but the instructions - for building the canister and linking against it - only mention MSVC based comma

RE: Using MD5 certificates in OpenSSL FIPS

ge- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Friday, July 26, 2013 7:39 AM To: openssl-users@openssl.org Subject: Re: Using MD5 certificates in OpenSSL FIPS On Fri, Jul 26, 2013, Carl Young wrote: > As far as I remember,

RE: Using MD5 certificates in OpenSSL FIPS

As far as I remember, the use of MD5 is only allowed in TLS 1 for the specific use within the PRF for key generation as the __combination__ of SHA-1 and MD5 is not considered weak usage. Use of MD5 elsewhere is still disallowed. Carl From: owner-openssl-u

RE: Is it possible to grab CA certificate?

Sorry for top-post - webmail :( In TLS, the server should not send the root certificate - it sends the chain up to, but not including, the root certificate. >From (sorry) http://technet.microsoft.com/en-us/library/cc783349(v=ws.10).aspx Server Certificate Message The server sends its certifica

RE: encrypting video files AES-ECB

You would need to tell everyone your exact command line (with key obfuscated, etc), but I suspect you are not specifying an [consistent] IV to the encrypt and decrypt commands? Carl From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on be

RE: How can I pass data to a running instance of OpenSSL CLI on Windows within a batch file?

I would hope that one of us could provide you something given a week or so... very busy with work currently but I'm sure I could do something in time. Carl From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on behalf of John Zavgren [j...@zavgren.com] Sent: 14 November 201

RE: How can I pass data to a running instance of OpenSSL CLI on Windows within a batch file?

Do have really have to use OpenSSL.exe or could you create/use a modified version of that tool that does exactly what you expect? Your "scaling" problem is because of the entropy gathering each time OpenSSL is launched. This takes a significant amount of time, especially compared to the actua

RE: Getting "OpenSSL: Exit: error in SSLv3 read client certificate A" when client connects

Sorry for top-posting - still getting used to this webmail: The only way I can see that the server is "reponsible" for this behaviour is the certificate you are providing. Has that expired or been invalidated in any way at the client? Carl From: owner-openssl-us...@openssl.org [owner-openssl-u

Re: FIPS 140-2 and PBKD

- Original Message - From: "Dr. Stephen Henson" To: Sent: Tuesday, December 01, 2009 6:58 PM Subject: Re: FIPS 140-2 and PBKD On Tue, Dec 01, 2009, carlyo...@keycomm.co.uk wrote: In openssl, if I try to use anything using PBKD (PKCS#5 PBKDF2 in particular) when in FIPS enabled m

Re: pkcs12 command does not work in FIPS mode

- Original Message - From: "Dr. Stephen Henson" On Thu, Jun 18, 2009, Lior Aharoni wrote: I have encountered a problem when trying to use OpenSSL command to decode PKCS12 file, I am using OpenSSL 0.9.8j that was build with FIPS support enabled. snip * Can someone shed light on why

Re: CMS decryption error with engine

- Original Message - From: "Dr. Stephen Henson" On Tue, Jun 16, 2009, Carl Young wrote: How would the engine be expected to pick up the IV, aside from the cipher context? If you look at EVP_cipher_asn1_to_param() you'll see it calls get_asn1_parameters in the EVP_C

Re: CMS decryption error with engine

- Original Message - From: "Dr. Stephen Henson" On Tue, Jun 16, 2009, carlyo...@keycomm.co.uk wrote: Hi, I'm getting failures decrypting a CMS (KEK or KTRI) when using an engine (RSA bsafe). It appears that when the IV ( from EVP_cipher_asn1_to_param) is set into the context, the

Re: FIPS Server

No, you are not FIPS compliant at the server just because your clients are using FIPS compliant crypto modules and security functions. In this case, the client will be using RSA+3TDES in EDE/CBC mode with SHA-1 HMAC, because this is the only available cipher suite on XP that is FIPS compliant (s

Re: FIPS

- Original Message - From: "Kyle Hamilton" To: "openssl-users" Sent: Friday, February 27, 2009 1:14 AM Subject: Re: FIPS Take everything I say here with a grain of salt: I'm not a FIPS expert, and it's entirely possible that I am misinterpreting something that I read. If Steve M wa

PKCS#7 symmetric keys

Hi all, With OpenSSL, can I create PKCS#7 CMS messages just using a pre-shared symmetric key? I just need to package the secret with its encryption algorithm identifier, and the PKCS#7 envelope looks ideal for this. The only additional data that I may wish to add to the message may be the